EC2 instance roles

Question 1

What is the main purpose of using IAM roles?

Answer 1

In general, IAM roles are the best practice ways for services to be granted permissions.

Question 2

What do EC2 Instance roles do?

Answer 2

EC2 instance roles are roles that an instance can assume and anything
running in that instance has the permissions that role grants.

Question 3

How do EC2 instance roles work?

Answer 3

An IAM role must be defined with a permissions policy.

Then the EC2 instance role allows the EC2 service to assume that role.

Question 4

What is the instance profile and what does it do?

Answer 4

The instance profile is the item that allows the permissions to get inside the instance. When you create an instance role in the console, an instance profile is created with the same name.

Question 5

Once an IAM role is assumed, how are credentials passed through to the instance?

Answer 5

Via the meta-data.

Question 6

Do the credentials provided to the instance as result of assuming a role expire?

Answer 6

EC2 and the secure token service ensure the credentials never expire.

Question 7

Mention some key facts about credentials inside meta-data:

Answer 7

Credentials can be found in iam/security-credentials/role-name
Credentials are automatically rotated - always valid - as long as that role is attached to the

Question 8

Why are roles important?

Answer 8

Because you should always use roles compared to storing long term credentials (for example, access keys…).

Question 9

Do CLI tools use role credentials automatically?

Answer 9

Yes.